[selinux-policy: 2976/3172] Use relabel permission sets where possible.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:24:56 UTC 2010
commit 83029ff3c562353395850162a9ea9def25f4254f
Author: Dominick Grift <domg472 at gmail.com>
Date: Wed Sep 15 14:57:02 2010 +0200
Use relabel permission sets where possible.
Signed-off-by: Dominick Grift <domg472 at gmail.com>
policy/modules/admin/logrotate.te | 2 +-
policy/modules/admin/prelink.te | 2 +-
policy/modules/kernel/terminal.if | 6 +++---
policy/modules/services/lpd.if | 2 +-
policy/modules/services/puppet.te | 8 ++++----
policy/modules/services/rpc.if | 2 +-
policy/modules/services/virt.te | 4 ++--
policy/modules/system/authlogin.if | 2 +-
policy/modules/system/logging.if | 4 ++--
policy/modules/system/userdomain.if | 2 +-
10 files changed, 17 insertions(+), 17 deletions(-)
---
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 23ef05f..dd4cd30 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -127,7 +127,7 @@ cron_search_spool(logrotate_t)
mta_send_mail(logrotate_t)
ifdef(`distro_debian', `
- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index cdbadda..0faba2a 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -63,7 +63,7 @@ files_search_var_lib(prelink_t)
# prelink misc objects that are not system
# libraries or entrypoints
-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index f9930a3..87a6942 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -336,7 +336,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
- allow $1 console_device_t:chr_file { relabelfrom relabelto };
+ allow $1 console_device_t:chr_file relabel_chr_file_perms;
')
########################################
@@ -1118,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+ allow $1 tty_device_t:chr_file relabel_chr_file_perms;
')
########################################
@@ -1300,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { relabelfrom relabelto };
+ allow $1 ttynode:chr_file relabel_chr_file_perms;
')
########################################
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index a4f32f5..d801ec0 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
')
files_search_spool($1)
- allow $1 print_spool_t:file { relabelto relabelfrom };
+ allow $1 print_spool_t:file relabel_file_perms;
')
########################################
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 3588ebb..9587224 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -179,21 +179,21 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
-allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_system_state(puppetmaster_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index b0eac5b..b65be0c 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -434,5 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
- allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index f38e1ce..5d16d55 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -238,8 +238,8 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-allow virtd_t virt_image_type:file { relabelfrom relabelto };
-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index bd3185e..5819211 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -741,7 +741,7 @@ interface(`auth_relabel_shadow',`
')
files_search_etc($1)
- allow $1 shadow_t:file { relabelfrom relabelto };
+ allow $1 shadow_t:file relabel_file_perms;
typeattribute $1 can_relabelto_shadow_passwords;
')
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index aa09d1c..453377e 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1033,8 +1033,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
- allow $1 logfile:dir { relabelfrom relabelto };
- allow $1 logfile:file { relabelfrom relabelto };
+ allow $1 logfile:dir relabel_dir_perms;
+ allow $1 logfile:file relabel_file_perms;
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c67c8e8..0a771a8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1781,7 +1781,7 @@ interface(`userdom_relabel_user_home_files',`
type user_home_t;
')
- allow $1 user_home_t:file { relabelto relabelfrom };
+ allow $1 user_home_t:file relabel_file_perms;
')
########################################
More information about the scm-commits
mailing list